From: Jiri Pirko <jiri@resnulli.us>
To: Eric Dumazet <edumazet@google.com>
Cc: "David S . Miller" <davem@davemloft.net>,
Jakub Kicinski <kuba@kernel.org>, Paolo Abeni <pabeni@redhat.com>,
David Ahern <dsahern@kernel.org>,
netdev@vger.kernel.org, Florian Westphal <fw@strlen.de>,
eric.dumazet@gmail.com,
syzbot+6a1423ff3f97159aae64@syzkaller.appspotmail.com
Subject: Re: [PATCH net] geneve: make sure to pull inner header in geneve_rx()
Date: Thu, 29 Feb 2024 14:55:22 +0100
Message-ID: <ZeCMygAPmudDnqbS@nanopsycho>
In-Reply-To: <20240229131152.3159794-1-edumazet@google.com>
Thu, Feb 29, 2024 at 02:11:52PM CET, edumazet@google.com wrote:
>syzbot triggered a bug in geneve_rx() [1]
>
>Issue is similar to the one I fixed in commit 8d975c15c0cd
>("ip6_tunnel: make sure to pull inner header in __ip6_tnl_rcv()")
>
>We have to save skb->network_header in a temporary variable
>in order to be able to recompute the network_header pointer
>after a pskb_inet_may_pull() call.
>
>pskb_inet_may_pull() makes sure the needed headers are in skb->head.
>
>[1]
>BUG: KMSAN: uninit-value in IP_ECN_decapsulate include/net/inet_ecn.h:302 [inline]
> BUG: KMSAN: uninit-value in geneve_rx drivers/net/geneve.c:279 [inline]
> BUG: KMSAN: uninit-value in geneve_udp_encap_recv+0x36f9/0x3c10 drivers/net/geneve.c:391
> IP_ECN_decapsulate include/net/inet_ecn.h:302 [inline]
> geneve_rx drivers/net/geneve.c:279 [inline]
> geneve_udp_encap_recv+0x36f9/0x3c10 drivers/net/geneve.c:391
> udp_queue_rcv_one_skb+0x1d39/0x1f20 net/ipv4/udp.c:2108
> udp_queue_rcv_skb+0x6ae/0x6e0 net/ipv4/udp.c:2186
> udp_unicast_rcv_skb+0x184/0x4b0 net/ipv4/udp.c:2346
> __udp4_lib_rcv+0x1c6b/0x3010 net/ipv4/udp.c:2422
> udp_rcv+0x7d/0xa0 net/ipv4/udp.c:2604
> ip_protocol_deliver_rcu+0x264/0x1300 net/ipv4/ip_input.c:205
> ip_local_deliver_finish+0x2b8/0x440 net/ipv4/ip_input.c:233
> NF_HOOK include/linux/netfilter.h:314 [inline]
> ip_local_deliver+0x21f/0x490 net/ipv4/ip_input.c:254
> dst_input include/net/dst.h:461 [inline]
> ip_rcv_finish net/ipv4/ip_input.c:449 [inline]
> NF_HOOK include/linux/netfilter.h:314 [inline]
> ip_rcv+0x46f/0x760 net/ipv4/ip_input.c:569
> __netif_receive_skb_one_core net/core/dev.c:5534 [inline]
> __netif_receive_skb+0x1a6/0x5a0 net/core/dev.c:5648
> process_backlog+0x480/0x8b0 net/core/dev.c:5976
> __napi_poll+0xe3/0x980 net/core/dev.c:6576
> napi_poll net/core/dev.c:6645 [inline]
> net_rx_action+0x8b8/0x1870 net/core/dev.c:6778
> __do_softirq+0x1b7/0x7c5 kernel/softirq.c:553
> do_softirq+0x9a/0xf0 kernel/softirq.c:454
> __local_bh_enable_ip+0x9b/0xa0 kernel/softirq.c:381
> local_bh_enable include/linux/bottom_half.h:33 [inline]
> rcu_read_unlock_bh include/linux/rcupdate.h:820 [inline]
> __dev_queue_xmit+0x2768/0x51c0 net/core/dev.c:4378
> dev_queue_xmit include/linux/netdevice.h:3171 [inline]
> packet_xmit+0x9c/0x6b0 net/packet/af_packet.c:276
> packet_snd net/packet/af_packet.c:3081 [inline]
> packet_sendmsg+0x8aef/0x9f10 net/packet/af_packet.c:3113
> sock_sendmsg_nosec net/socket.c:730 [inline]
> __sock_sendmsg net/socket.c:745 [inline]
> __sys_sendto+0x735/0xa10 net/socket.c:2191
> __do_sys_sendto net/socket.c:2203 [inline]
> __se_sys_sendto net/socket.c:2199 [inline]
> __x64_sys_sendto+0x125/0x1c0 net/socket.c:2199
> do_syscall_x64 arch/x86/entry/common.c:52 [inline]
> do_syscall_64+0xcf/0x1e0 arch/x86/entry/common.c:83
> entry_SYSCALL_64_after_hwframe+0x63/0x6b
>
>Uninit was created at:
> slab_post_alloc_hook mm/slub.c:3819 [inline]
> slab_alloc_node mm/slub.c:3860 [inline]
> kmem_cache_alloc_node+0x5cb/0xbc0 mm/slub.c:3903
> kmalloc_reserve+0x13d/0x4a0 net/core/skbuff.c:560
> __alloc_skb+0x352/0x790 net/core/skbuff.c:651
> alloc_skb include/linux/skbuff.h:1296 [inline]
> alloc_skb_with_frags+0xc8/0xbd0 net/core/skbuff.c:6394
> sock_alloc_send_pskb+0xa80/0xbf0 net/core/sock.c:2783
> packet_alloc_skb net/packet/af_packet.c:2930 [inline]
> packet_snd net/packet/af_packet.c:3024 [inline]
> packet_sendmsg+0x70c2/0x9f10 net/packet/af_packet.c:3113
> sock_sendmsg_nosec net/socket.c:730 [inline]
> __sock_sendmsg net/socket.c:745 [inline]
> __sys_sendto+0x735/0xa10 net/socket.c:2191
> __do_sys_sendto net/socket.c:2203 [inline]
> __se_sys_sendto net/socket.c:2199 [inline]
> __x64_sys_sendto+0x125/0x1c0 net/socket.c:2199
> do_syscall_x64 arch/x86/entry/common.c:52 [inline]
> do_syscall_64+0xcf/0x1e0 arch/x86/entry/common.c:83
> entry_SYSCALL_64_after_hwframe+0x63/0x6b
>
>Fixes: 2d07dc79fe04 ("John W. Linville <linville@tuxdriver.com>")
Odd commit name :)
Fixes: 2d07dc79fe04 ("geneve: add initial netdev driver for GENEVE tunnels")
>Reported-and-tested-by: syzbot+6a1423ff3f97159aae64@syzkaller.appspotmail.com
>Signed-off-by: Eric Dumazet <edumazet@google.com>
Reviewed-by: Jiri Pirko <jiri@nvidia.com>
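To illustrate the pointer-staleness problem the commit message describes, here is an added C model (not kernel code; struct model_skb, model_may_pull and model_rx_outer_tos are hypothetical names, and the header lengths and bytes are constructed). A pointer into skb->head taken before a pull that moves the linear buffer reads stale memory afterwards, while saving the network header offset and recomputing the pointer after the pull reads the real outer TOS byte.

```c
#include <stdlib.h>
#include <string.h>
#define OUTER_HDR 36 /* constructed: outer IPv4 (20) + UDP (8) + Geneve (8) */
#define INNER_HDR 20 /* constructed: inner IPv4 header, not linear yet */

struct model_skb {                     /* hypothetical model, not the kernel's sk_buff */
    unsigned char *head, *old_head, *frag; /* linear buf, poisoned old buf, fragment */
    unsigned int len;                  /* bytes currently linear */
    unsigned int network_header;       /* offset from head, like the real skb field */
};

/* Model of pskb_may_pull(): linearise len bytes, moving head when the
 * fragment has to be copied in. The old buffer is poisoned, not freed,
 * so a stale read is observable instead of undefined behaviour. */
static int model_may_pull(struct model_skb *skb, unsigned int len)
{
    unsigned char *nh;
    if (len <= skb->len)
        return 1;
    if (len > skb->len + INNER_HDR || !(nh = malloc(len)))
        return 0;
    memcpy(nh, skb->head, skb->len);
    memcpy(nh + skb->len, skb->frag, len - skb->len);
    memset(skb->head, 0xAA, skb->len);
    skb->old_head = skb->head;
    skb->head = nh;
    skb->len = len;
    return 1;
}

/* Read the outer TOS byte that IP_ECN_decapsulate needs; recompute=0 is
 * the stale-pointer bug, recompute=1 saves the offset and recomputes. */
static int model_rx_outer_tos(unsigned char tos, int recompute)
{
    struct model_skb skb = { calloc(OUTER_HDR, 1), NULL, calloc(INNER_HDR, 1), OUTER_HDR, 0 };
    unsigned char *oiph; unsigned int nh_off; int r = -1;
    if (!skb.head || !skb.frag) { free(skb.head); free(skb.frag); return -1; }
    skb.head[0] = 0x45; skb.head[1] = tos; skb.frag[0] = 0x45; /* constructed headers */
    nh_off = skb.network_header;          /* save offset of the outer header */
    oiph = skb.head + nh_off;             /* pointer taken before the pull */
    skb.network_header = OUTER_HDR;       /* point network header at inner IP */
    if (model_may_pull(&skb, OUTER_HDR + INNER_HDR)) {
        if (recompute)
            oiph = skb.head + nh_off;     /* fix: recompute after the pull */
        r = oiph[1];                      /* stale pointer reads the poison byte */
    }
    free(skb.old_head); free(skb.head); free(skb.frag);
    return r;
}
```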
Thread overview:
2024-02-29 13:11 [PATCH net] geneve: make sure to pull inner header in geneve_rx() Eric Dumazet
2024-02-29 13:55 ` Jiri Pirko [this message]
2024-02-29 13:57 ` Eric Dumazet
2024-03-04 10:00 ` patchwork-bot+netdevbpf